Bug 624547 - attrcrypt should query the given slot/token for supported ciphers
Summary: attrcrypt should query the given slot/token for supported ciphers
Alias: None
Product: 389
Classification: Retired
Component: Security - General
Version: 1.2.8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Ben Levenson
Depends On:
Blocks: 639035 389_1.2.8
TreeView+ depends on / blocked
Reported: 2010-08-16 20:34 UTC by Marco Rhodes
Modified: 2015-12-10 18:38 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-12-10 18:38:31 UTC

Attachments (Terms of Use)
git patch file (master) (1.53 KB, patch)
2011-01-25 01:35 UTC, Noriko Hosoi
no flags Details | Diff
git patch file (master) (15.32 KB, patch)
2011-01-27 20:01 UTC, Noriko Hosoi
nkinder: review+
Details | Diff

Comment 4 Noriko Hosoi 2011-01-25 01:35:21 UTC
Created attachment 475097 [details]
git patch file (master)

The reported problem was caused by the bug in ldbm_attrcrypt.c which did not expect to have an external PKCS #11 token.  This patch successfully initializes ldbm_attrcrypt.

But ldbm_attrcrypt fails once trying to encrypt an attribute. e.g.:
dn: cn=givenname,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugi
objectClass: top
objectClass: nsAttributeEncryption
cn: givenname
nsEncryptionAlgorithm: AES [ or 3DES ]

error log:
[..] attrcrypt - _back_crypt_crypto_op: failed on cipher AES : -8192 - An I/O error occurred during security authorization.
[..] - Error: attrcrypt_crypto_op_values failed in attrcrypt_encrypt_entry
[..] - attrcrypt_encrypt_entry failed in id2entry_add

Comment 7 Noriko Hosoi 2011-01-27 20:01:46 UTC
Created attachment 475673 [details]
git patch file (master)

1. To retrieve a certificate from an external token (i.e., not
   "internal (software)"), "<token>:<cert_nickname> should have
   been passed.  The <token> part was missing.
2. The key to be used for encryption and decryption internally
   needs to have ENCRYPT and DECRYPT attribute set, respectively.
   The correct attributes were not set.  Note: these attributes
   are automatically set for the softoken in nss, but not for the
   external token.  This is why attrcrypt worked for the softoken,
   but not for the external token.  The attributes need to be set
   when the key is generated as well as when the key is unwrapped.
3. Adding a code to check if the underlying system supports the
   cipher or not before generating a key.  If it is not supported,
   it issues a message not to choose the cipher for the attrcrypt/
   changelog encryption.  If none of the ciphers are supported and
   if attrcrypt/changelog encryption is enabled, the server fails
   to start.

Comment 8 Noriko Hosoi 2011-01-27 20:42:30 UTC
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 624547
Updating 7ece306..57dcdf1
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c |  141 ++++++++++++++++++++----
 ldap/servers/slapd/proto-slap.h               |    3 +
 ldap/servers/slapd/security_wrappers.c        |   36 ++++++-
 3 files changed, 151 insertions(+), 29 deletions(-)

$ git push
Counting objects: 17, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 3.26 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   7ece306..57dcdf1  master -> master

Comment 11 Chandrasekar Kannan 2011-07-19 14:07:01 UTC
I tried to verify this bug. But I was not able to setup ds (use the wizard and generate key pair to setup ssl certs) with our newest nethsm6k.dsdev.sjc.redhat.com. that hardware token is in fips mode. my machine is selinux permissive. I'm still troubleshooting the problem.

Note You need to log in before you can comment on or make changes to this bug.